Network Performance and Security: Testing and Analyzing Using Open Source and Low-Cost Tools

Network Performance and Security

Testing and Analyzing Using Open Source and Low-Cost Tools

Chris Chapman

Steve Furnell, Technical Editor

Table of Contents

Cover

Title page

Copyright

Dedication

Chapter 1: Introduction to practical security and performance testing

Abstract

A Baseline Understanding of Security Concepts

Volumetric Attacks and Attack Frequency Across the Internet

Security Network Elements

A Baseline Understanding of Network Performance Concepts

Network Events that can Effect Hard and Soft Errors for Flows

Summary—Before We Start to Harden the Network

Chapter 2: Getting organized with initial audit of the network

Abstract

Goals and Objectives of this Chapter: Positive Identification of Valid Assets

Auditing Host Assets

Installing an NMS: SpiceWorks

Performing Audit of Server Assets

Documenting Network Element Objects

Documenting Topology Zone Assets

Documenting Information Assets

Adding the Network to the NMS

Chapter Summary

Chapter 3: Locking down the infrastructure: Internet, Wi-Fi, wired, VPN, WAN, and the core

Abstract

Locking Down and Optimizing the Core Network

Implementing 802.1x MAC Authentication

Optimizing Performance of the Network Edge and Core

Locking Down and Optimizing the WAN

Summary Putting Optimization and Security Together

Locking Down and Optimizing Organizational Wi-Fi Access

Optimizing Your External Firewall and Internet Connection

Summarizing Infrastructure Security

Chapter 4: Locking down and optimizing the windows client

Abstract

Keeping Windows Patched

Defining Approved Software

Setting User Rights Correctly and Locking Down Install Rights

The Importance of Windows UAC

Hardening Windows Networking

Local Firewalling and Mitigation

Hardening the Browser

Optimizing Windows Client Performance

Installing Windows and Component Software

Chapter 5: Server patterns

Abstract

Better Use of Your Hardware and Infrastructure

Server Clusters Are Software Defined

Virtualized Servers Has Elastic Performance

Virtualization Provides the Best Solution for Disaster Recover

More Intelligent Use of Storage

Some Recommendations and Caveats Regarding Virtualization

Securing the Hypervisor Host

NFV Server Chain Case studies

Hardening SSL

Self-Hosted Cloud File Storage

Chapter 6: Testing for security flaws using penetration testing

Abstract

Data Theft for Profit

Revenge Attacks

Industrial Espionage

Terrorism/Cyber Warfare

Arbitrary Reasons

Prepping Kali Linux for Use

Installing Empty for Automation

Metasploit Workflow

Chapter 7: Using Wireshark and TCP dump to visualize traffic

Abstract

Understanding Valid Traffic in the Network

Setting Up a Span Port

Using Capture and Display Filters

Example of Using Display Filters to Detect Reverse HTTP Meterpreter Shell

Using Custom HTTP Headers as a Backup Authentication

Looking for a Malware Signature Using Raw Hex

Debugging SIP Register with Display Filters

Using Built-In Wireshark Analysis Tools

Using Endpoints Statics

Determine Packet Length Distributions

Visualizing Performance With IOGraph

Using FlowGraph to Visualize Traffic

Collecting HTTP Stats in Wireshark

Using Wireshark Command Line Tools

How to Remotely Capture Traffic on a Linux Host

Merging/Slicing PCAP Files Using Mergecap

Getting Information About a PCAP File Using CAPINFOS

Editing a Capture File with Editcap

Using TCPdump

Filter Captures with TCPdump

Chapter 8: Using SNORT

Abstract

Building and IDS Appliance with SNORT

Installing SNORT

Building and Update Script to Update the System and SNORT

Configuring and Using SNORT

Configuring Intrusion Detection Mode

Capturing Packets with DAQ

Snort Basic Output

Actions, Limits, and Verdicts

Running Snort as a Daemon

Configuring snort.conf File

Example SNORT Rules

Installing Snorby: SNORT Visualized

Chapter 9: Live traffic analytics using Security Onion

Abstract

Building Security Onion

Updating Security Onion Appliance

Replaying PCAP Traffic in Security Onion

Using Snorby for Threat Visualization

Setting Snorby Preferences

Basic Snorby Usage

Decoding an Attack Event in Snorby

Another Perspective on IDS Using Squert

Using Sguil for Monitoring Post and Real-time Events

Additional Tools in Security Onion

Final Thoughts About Security Onion

Chapter 10: Traffic performance testing in the network

Abstract

Bandwidth, Packet Per Seconds and RFC 2544: Avoiding the False Positive

Optimal Testing Methodology

Testing with Streams: Ostinato

Testing TCP with iPerf3

Using NTOP for Traffic Analysis

Applied Wireshark: Debugging and Characterizing TCP Connections

Emulating the Behavior of the WAN for Testing

Chapter 11: Build your own network elements

Abstract

Building Your Own Router—VyOS

Building Your Own Open Source Switch: Open vSwitch (OVS)

Building Your Own Open Source Server Load Balancer (SLB)

Setting Up a DHCP Server in Ubuntu

Building Your Own LAMP Server

Chapter 12: Request for proposal and proof of concept example usecases

Abstract

Evaluating an L3 Switch

Subject Index

Copyright

Syngress is an imprint of Elsevier

50 Hampshire Street, 5th Floor, Cambridge, MA 02139, USA

Copyright © 2016 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies, and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data

A catalog record for this book is available from the Library of Congress

ISBN: 978-0-12-803584-9

For information on all Syngress publicationsvisit our website at https://www.elsevier.com/

Publisher: Todd Green

Acquisition Editor: Brian Romer

Editorial Project Manager: Anna Valutkevich

Production Project Manager: Punithavathy Govindaradjane

Designer: Matthew Limbert

Typeset by Thomson Digital

Dedication

This book is dedicated to Joan. Without her, nothing would be possible.

Chapter 1

Introduction to practical security and performance testing

Abstract

I will introduce the reader to some basic security concepts including types of attacks, best practices including description. Then network security devices and their subfunctions will be introduced. Finally, the user will understand what perception user experience is, how it is measured, the difference between soft and hard errors, and how users formulate quality of experience.

Keywords

attack

DDoS

malware

penetration testing

volumetric attack

quality of experience (QoE)

perceptual user experience

firewall

IPS/IDS

proxy server

botnet

cross site scripting attack (XSS)

worm

virus

trojan horse attack

zero-day attack

SQL injection attack

hard QoE errors

soft QoE errors

This book is intended to help you practically implement real-world security and optimize performance in your network. Network security and performance is becoming one of the major challenges to the modern information technology (IT) infrastructure. Practical, layered implementation of security policies is critical to the continued function of the organization. I think not a week goes by where we do not hear about data theft, hacking, or loss of sensitive data. If you dig deeper into what actually happens with security breaches, what you read in the news is only a small fraction of the true global threat of inadequate or poorly executed security. One thing that we all hear when an article or a news item is released is excessive amounts of buzz words around security, with little content about how it may have been prevented. The truth is, security mitigation is still in its infant stages, following a very predictable pattern of maturity like other network-based technologies. Performance is another critical part of a well-performing network. Everyone knows they need it, but to test it and measure it is not only a science, but also an art.

I assume that the reader of this book has a desire to learn about practical security techniques, but does not have a degree in cyber security. I assume as a prerequisite to implementing the concepts in this book, the reader has a basic understanding of IT implementation, has a mid level experience with Windows and Active directory, and has had some experience with Linux. Furthermore, my intent in this book is to minimize theory and maximize real-world, practical examples of how you can use readily available open source tools that are free, or relatively low cost, to help harden your network to attacks and test your network for key performance roadblocks before and during deployment in a production network. In fact, the major portion of theory that I will cover is in this chapter, and the focus of that information will be on giving you a baseline understanding in practical deployment and applications of security and performance. I also assume noting, and will take you through execution of best practices.

A Baseline Understanding of Security Concepts

What is an attack? It is an attempt to gather information about your organization or an attempt to disrupt the normal working operations of your company (both may be considered malicious and generally criminal). Attacks have all the aspects of regular crime, just oriented toward digital resources, namely your network and its data. A threat uses some inefficiency, bug, hole, or condition in the network for some specific objective. The threat risk to your network is generally in proportion to the value or impact of the data in your network, or the disruption of your services no longer functioning. Let me give a few examples to clarify this point. If your company processed a high volume of credit card transactions (say you were an e-commerce business) then the data stored in your network (credit card numbers, customer data, etc.) is a high target value for theft because the relative reward for the criminals is high. (For example, credit card theft in 2014 was as high as $8.6B [source: http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014].) Or, if your business handles very sensitive data, such as patient medical record (which generally have the patient-specific government issued IDs such as social security numbers attached), you are a prime target. In either case, the value of data in your network warrants the investment and risk of stealing it. Say, you are a key logistics shipping company, the value to the attacker may be to disrupt your business, causing wider economic impact (classic pattern for state-sponsored cyber terrorism [example: http://securityaffairs.co/wordpress/18294/security/fireeye-nation-state-driven-cyber-attacks.html]). On the other hand, if you host a personal information blog, it is unlikely that cyber crime will be an issue. To put it bluntly, it is not worth the effort for the attackers. The one variable in all of this is the people who attack network because they can. They tend to use open source exploit tools, and tend to be individuals or very small groups, but can be anywhere on the Internet. We have to be aware of the relative value of our data, and plan security appropriately.

There are many ways of attacking a network, let us spend a few moments and cover some of the basics of security and performance. If we divide attacks into their classification, we can see the spread of class of attacks growing over time. What types of attacks may you experience in the production network?

DDoS Attack

DDoS, or distributed denial of service, attacks are an attack class with the intent to disrupt some element of your network by utilizing some flaw in a protocols stack (eg, on a firewall), or a poorly written security policy. The distributivenes comes into play because these attacks can first affect devices such as personal computer (PC) or mobile device on the Internet, and then at a coordinated time, can attack the intended target. An example would be a TCP SYN flood, where many attempted, but partial, TCP connections are opened with the attempt to crash a service on the target. DDoS attacks may also be blended with other exploits in multistage attacks for some multistage purpose.

Botnet/Worm/Virus Attack

A botnet is a code that first attempts to install its self within the trusted portion of your network, though combined and blended attacks may spread to other resources across your network. A botnet has two possible objectives. First, spread as far and as fast as it can within the target domain and then at a specified time, bring down elements in the network (like PCs). Second, a botnet can quietly sit in the network, collect data, and phone home back to a predefined collection site over well-known protocols. This is considered a scrapping attack because data are collected from behind your firewall and sent over known-good protocols such as HTTP/HTTP(S) back home.

Trojan Horse

A trojan horse is a type of attack that embeds the malicious code in some other software that seems harmless. The intent is to get the user to download, install, and run the innocent software, which then will case the code to infect the local resource. Another great example of this is infected content that is downloaded off of P2P networks such as Bittorent; the user runs the content and the malicious code is installed.

Zero-Day Attack

A zero-day attack is a traffic pattern of interest that in general has no matching patterns in malware or attack detection elements in the network. All new attacks are characterized initially as zero-day attacks.

Keyloggers

A keylogger is a code that is installed by malware and sets on a device that has keyboard input (like a PC) and records keystrokes. The hope of the keylogger is that it will capture user login credentials, credit card number, government ID numbers, which can later be sold or used. Keylogger can be deployed by botnets, or themselves be deployed. Variants of keyloggers will look at other inputs and records. For example, variant code may listen to your built-in microphone or record video from the integrated camera (or just take periodic snapshots).

SQL Injection Attack

Chances are you have an SQL database somewhere in your network. Attackers know this and know by its very nature that the database holds valuable data, or at the least is a choke point in the workflow of your business. An SQL injection attack uses malformed SQL queries to perform one of two possible functions. First, the simplest attack is to crash some or part of the database server. This has the obvious effect of stopping business workflows. Second, an SQL attack may be used to selectively knock down part of the SQL server, exposing the tables of data for illicit data mining.

Cross-Site Scripting Attack (XSS Attack)

The modern platform for application is the web. What this means is that the sophistication of what is served and processed has greatly increased. The web has moved from a simple text-based system to a full application API. A cross-site scripting attack takes advantage of this sophistication by attempting to modify the middle ware of the web application. For example, it may insert JavaScript inside of code to bypass a login, capture data, and phone home or become purely malicious. This class of attack is a good example of how attackers desire malicious code to be undetected for as long as possible, especially when the exploit is attempting to collect data.

Phishing Attack

A phishing attack can come in many forms, but generally focus on web content modification and emails. The idea behind a phishing attack is to look legitimate, attempt the target to give sensitive data, and capture/sell the data for profit or use it for malicious means.

Rootkit

A rootkit is a special type of worm that can embed its self deeply into the operating system (thus the Root) such that it can take over the system involuntarily. Rootkits can be very difficult to remove and detect.

Firmware Virus

A firmware virus will attempt to reflash elements that have firmware, such as your hard drive or PC EFI. This is related to the rootkit family of attacks and in some cases can physically destroy equipment. For example, a virus inserted in a hard drive firmware can destroy the lower layer formatting of the drive, or corrupt TRIM setting to accessibly use SSD memory cells to failure. On a server, EFI virus could increase CPU core voltage and turn off fans to cause death by heat.

Hijack Attack/Ransomware

This class of attack attempts to take a legitimate active session and insert or redirect data to a collector. For example, imagine an e-commerce session, where users shipping and credit card information is captured. This class of attack is sometimes called a Man in the Middle attack. In the case of Ransomware, the attack will shut down the device functions and make the user pay, sometimes even a small amount, to unlock their PC. Attackers know that if a user pays, say $5, to recover their gear, it may not be worth reporting. This, multiplied by millions, can be big business.

Spoof/Evasion Attack

In this class of attack, the attacker intentionally rewrites Ipv4, UDP, and TCP fields to try to hide from firewall rules. For example, if I take an attack and use IPv4 fragmentation, I might be able to hide the attack from the firewall policy rules, because as the attacker, I hope the firewall pattern matching code does not cover this condition.

Buffer Overflow Attack

Typically, network application, protocol stacks, buffers, and queues expect data request in a structured format. A buffer overflow attack will attempt to intentionally send malformed or excessive data to crash some or part of the application, firewall, or any network element in between. Sometimes, this is called a knockdown attack.

Password Attack

This kind of attack uses automation to break a password by many iterations. There are three types of approaches: Brute-force, dictionary, and hybrid attempts. This is always a roll of the dice, but in some cases, especially with a dictionary technique, attackers know users have poor password selection habits, and will try clusters of known combinations first.

Penetration Attacks

A penetration attack is more complicated than other types of attacks, because it tends to be multistage, distributed, and orchestrated. These types of attacks can be the most damaging, because generally they require a level of sophistication and resources to achieve their target. Many security breaches you might hear about in the news are sophisticated penetration attacks, especially if there is a large volume of data theft. Penetration attacks are like high stakes poker. It requires skills, patience, strategy, and stages, but has very large payouts if successful.

Malware

Malware is a generic class of attack that may refer to distributed as trojans, worms, botnets via applications, websites, or emails. Malware is the most prodigious form of attacks, with Q4 millions of variants flowing through the Internet annually. It should be noted that attacks can form hierarchies. For example, malware may be used to insert rootkits or keyloggers. Malware may also insert other malware as a cascading infection through your network.

Volumetric Attacks and Attack Frequency Across the Internet

With over 82,000 new malware attacks daily [source: http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html], it should be assumed that you will be attacked hourly. It is projected that by 2020, this rate will increase to over 100 GBps per day, every day, 365 days a year [source: https://www.neustar.biz/resources/whitepapers/ddos-protection/2014-annual-ddos-attacks-and-impact-report.pdf]. So form the perspective of your network; it is a safe bet that each and every day you will be either directly targeted or indirectly experience attacks on your public Internet peering points. Understanding this point is very important, because it is no longer when but how and where you will be targeted. Knowing that you will be perpetually attacked, and still having the requirement of transacting business over the Internet is a critical mindset toward security and performance of the modern network.

There are two really good websites that will show live attacks based on a world map.

NorseIP (http://map.ipviking.com/) and Digital Attack Map (http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16843&view=map) will show live attacks based on country.

Both of these sites should be used to see patterns of attacks across the Internet. The intent is to demonstrate scope and scale of attacks that happen daily.

Security Network Elements

So, what are the devices and subsystems in the network that can help manage security? These devices should always allow with minimal impact for valid user workflows while catching and mitigating attacks.

Here are some of the devices.

Distributed Firewall

Original firewalls were a single appliance with a trusted, untrusted, and DMZ network connections. They would have a policy that would allow or drop conversations. This model has evolved into a distributed firewall, which will allow you to write an enterprise-wide policy and distribute it across key peering points in the network as well as firewall nodes sharing threat information network wide. So what are some of the functions of the modern firewall.

Traffic access policy

Access policies are the rules that you decide you wish to allow between zones. Implicit in these policies is a Deny All which is implied at the end of your policy. Therefore, traffic you explicitly do not allow should be denied. The concept of creating the smallest number of Pinholes in the policy is considered a best practice. Older firewall technology was based on ACCPT/DENY/IGNORE rules on the basis of destination TCP or UDP port numbers. This class of firewall is considered obsolete and should not be used. The reason is simple, destination port numbers are far easy to spoof. The modern policy will not only know the transport protocols like HTTP, but it should also understand services such as specific web applications and SIP.

Access control

Access control is a Go/No-Go policy that looks at source, destination, and traffic and makes a decision to allow or deny a conversation. It is considered mild security, but is useful to deploy in a layered security model.

Location management

Where is the user geographically sourced. Are they from an approved location or not?

User management

Who specifically is using the application, and are they authorized?

Access times

Is this user allowed this workflow at this time, or not?

Workflow intelligence

Is this person allowed access to this par of the application or not?

Logging

Logging, or documentation of event to a central logging server, will keep a historical record of events. Logging can be very CPU intensive, so what and how you log is critical. Best practice is to log negative events. In some jurisdictions, logging is becoming a legal requirement.

Remote access/VPN

Remote access, generally subdivided into site-to-site (remote branch) and remote access (point-to-point) virtual private network (VPN), is a technology that creates a tunnel through the Internet that is secure and encrypted. The main flavors are IPSec (older) and SSL-VPN (newer).

IPS/IDS

The purpose of this element is to detect or prevent intrusion and perform some action. Typically, this element will either be passively inline with traffic (IPS) to allow it to block attack, or hang off of a network tap (IDS) such that the element will detect and perform some action. For example, the IPS/IDS service contains a database of patterns that predict an attack. If a traffic flowing through the appliance triggers three patterns, and IDS will log the event, IPS will attempt to block the traffic.

Proxy Server

A proxy server is a device that will terminate TCP connections and regenerate them on the outbound side. Typically, the user must configure the proxy server and port number in the local application, such as the web browser. Proxy servers can be a layer of protection, because they isolate traffic above TCP/UDP from the original connections. This has the benefit of potentially blocking TCP-based attacks. Proxy server should be considered a layer of security, but should never be deployed as the exclusive element of security.

ToR Network

The Onion Router (ToR) is an anonymity routing technology that hides the identity of users through random path routing. A ToR shim is useful to evade specific pathways (where people may be spying) since it picks paths randomly. ToR is not absolutely secure, and must always be combined with other encryption to improve security.

Personal Firewall/Anti-Virus/Anti-Malware

This class of security object is typically installed on the desktop. They tend to perform Leaf analysis, inspecting the local file system and memory for infections. They can use significant local resources, and generally require syncing to keep the local database up to date. The implication of the personal firewall is two fold. First, the firewall is only as good as the underlying technology used to scan traffic. It is possible for a firewall to miss an attack because the scanning engine was not engineered to detect the attack. Second, a firewall is only as good as its last database sync. The implication is that periodic work is required for all nodes to keep up to date.

A Baseline Understanding of Network Performance Concepts

Network performance is one of those topics that everyone knows they need, but is hard to quantify and qualify. I would like to spend a moment and discuss network performance, what it is, what effects performance, and how it is measured. Network performance is related to security in the sense that both attack mitigation, attack effect and quality of experience must be measured together. All three vectors of performance are considered entangled.

What is Network Performance?

First, network performance is not one thing; it is many things working together for a user experience. As more services are placed on the network such as voice, video, data workflows within the company, a decrease in user experience is not only annoying to the users but can sharply reduce productivity in the network. So, performance testing is really the study of user experience over time in the network from different populations, under different conditions.

Psychology of User Experience

The modern user relies upon the network being available, always on, predictable, and reliable. For example, if a user browses to an internal CRM system, and gets a "404 Error, the event breaks availability and predictability requirements of the user, and perceptual experience goes down because they simply cannot do their job. In many ways, the old POTS (Plain Old Telephone System, or pre Internet voice networks) dial tone concept of 99.999% uptime at fiber optic quality (remember the old add of hearing a pin drop) has set a benchmark and is transformed into a form of a Web Dial tone expectation. This is simply a reflection of the reliance of the user upon the network for even fundamental day-to-day operations. The first attribute of how users perceive user experience is that they do not recognize when workflows perform well; they simply expect this day in and day out. This is an important attribute to recognize, because the network can have a great experience factor for a full year, and users will tend to not take that fact into consideration. When a user in the network perceives a negative event such as a slow loading page, or disrupted voice quality on SIP, then they place a very strong weight on the times the network did not work vs. the times it did work. In general, users just expect the network and its services to just work all the time. Furthermore, users frame their experience on the basis of the service, not the protocol. What I mean by this is they will see the CRM" is good or bad, not HTTP and user experience is a measure perceived impairment for workflow within the service. So what can go wrong in a service? These are divided into hard and soft errors.

Hard Errors

When a user cannot login (authentication problem) or receives a 404 page not found error a hard error occurs. These events can occur randomly, periodically, or one shot. They are very measurable and discrete because the condition either exists or does not exist. Hard errors have a lot of perceived weight by the user because it directly prevents them from completing their task, increasing frustration. In addition, a hard error can be weighed on the basis of when and where it occurs. For example, if a user cannot log in to the CRM, the hard error impact on user experience can range from annoying (low impact coefficient) to panic (high impact coefficient) on the basis of the specific user condition and criticality of the desired user action. The bottom line on hard errors is that they are never good, they contribute the greatest to a negative user experience, they can be perceptually multiplied based on the user situation, and they take a very long time to balance out with well-performing workflows.

Soft